MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c63068f0ff7610cbe73267e9d3c8a4adc977c9fae26f39808d2880f9c79e204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	3c63068f0ff7610cbe73267e9d3c8a4adc977c9fae26f39808d2880f9c79e204
SHA3-384 hash:	90b58f8c5600dcdbf2d7be847837b96aa201750b4eb1cb9031e08e8b7b7f9475a0608473719fbae9c141359b2651fa86
SHA1 hash:	3751e830bd0d6caa7aaeaa8150af1dd998487998
MD5 hash:	4e496fc0893b49457ba20b10159be839
humanhash:	fifteen-white-football-hot
File name:	SecuriteInfo.com.Win32.PWSX-gen.7758
Download:	download sample
Signature	NetWire Create hunting rule
File size:	1'107'456 bytes
First seen:	2022-09-08 05:35:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:+kNjm5x1NHuimzrpz0fx0UqHLFTDaa1MXTS2CcSvOqt9s1q6pDD63Cm:+kxm5Iimzrpz0fMTDaa1MXTZCl7t9
TLSH	T139352A0621941BA5D07293FC20CCC1728BB99E45E53FD945BFC99CEFF592F2846D22A2
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

362

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.7758

Verdict:

Malicious activity

Analysis date:

2022-09-08 05:36:51 UTC

Tags:

trojan netwire

Link:

https://app.any.run/tasks/2c415775-2174-4a55-b33c-75535ba90901

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/308643/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.7758.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63197f4bd06d9bc4c7aabd16/reports/caa5d84d-ac5e-4de8-a8ab-a464b1ca041a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/374fce0b-f04a-4443-92a9-7cad2872e67c

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1066893

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NetWire

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

netwire

Link:

https://mwdb.cert.pl/sample/3c63068f0ff7610cbe73267e9d3c8a4adc977c9fae26f39808d2880f9c79e204/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2022-09-08 05:36:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 40 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hrrqndyp65qqzpttez7j2pekjlojo7e7vytphgai2kea7hdz4ica._file

Verdict:

malicious

Label(s):

netwirerc

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220908-gak54sbaej/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

212.193.30.230:3345

Unpacked files

SH256 hash:

f48f16024a4d68e0fe5038dca50e21381bea531502996e41fe7344ae002429f1

MD5 hash:

62d1e873ed148af106c54e93c09f468e

SHA1 hash:

ec53d52273a40fd00ad241de45f892fc8795dd05

Detections:

win_netwire_auto

Link:

https://www.unpac.me/results/ca57e589-22b8-4298-8dce-8443b5f216f5/

SH256 hash:

8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63

MD5 hash:

dbc7be56e6e32349315170599c8b333f

SHA1 hash:

d8e5840e3574b87d435e55a65ac648e040871aee

Link:

https://www.unpac.me/results/ca57e589-22b8-4298-8dce-8443b5f216f5/

SH256 hash:

6f900f43f2ad29d674d691ca37b11e6c68e1bb3ffd1473fd3a9cf3d041abe801

MD5 hash:

f9f48f272f088f43356dc04b786fac80

SHA1 hash:

2923e7ad816f557eae4fa3ebda52132b91df1fc2

Link:

https://www.unpac.me/results/ca57e589-22b8-4298-8dce-8443b5f216f5/

SH256 hash:

dd789861d66793eb5c3bd68f200a571cf51d2d3db6ecf8ec670f4f82f7416d4f

MD5 hash:

19643806577ac4e072b5b61b69cab04f

SHA1 hash:

2298066d99e6f19f564c9100f183109674ab3a2e

Detections:

Netwire

win_netwire_auto

win_netwire_g1

Link:

https://www.unpac.me/results/ca57e589-22b8-4298-8dce-8443b5f216f5/

Parent samples :

ae2f65dc73b9f6946ced973c5dd998d53123110a8c7a4ad6d88e7cc56d9e3d6d
84530ed1bbd58c38b85fc93e447d14251cda335b3de5fe9216cf3386758cb0ee
40374376894492fb4f8aa245a8197df99859e2f98b786c344f877813a1a3f224
791667a955fb3cb2833edfc35880b557cf53f9ecba41ac96172606b934e982ba
beb979ea6eb528afbb51885caa428ddfda08172e26bcb1671296b40036ca9ff6
dea08975e4dfcf09c0a223ce08f787cfc0eeaba0ac6f692b3f4c10b7d1cce5d6
b0bb5c54bfd9cf2ca6805612446724b90c433fca894cb97ce1252e700c0f6ac0
9e90590b4333c2a963369cabf3c7671037039829c6d42a51f824356e621dff86
b57ed5956f300093ccca133cf806845cfaf4e11c067188cde5dd484be77a26c3
3c63068f0ff7610cbe73267e9d3c8a4adc977c9fae26f39808d2880f9c79e204
4c504c1ac1adf30de4604cba7720dd35ff80c629f4afd06bbb6cb36c11c05423

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/ca57e589-22b8-4298-8dce-8443b5f216f5/

SH256 hash:

3c63068f0ff7610cbe73267e9d3c8a4adc977c9fae26f39808d2880f9c79e204

MD5 hash:

4e496fc0893b49457ba20b10159be839

SHA1 hash:

3751e830bd0d6caa7aaeaa8150af1dd998487998

Link:

https://www.unpac.me/results/ca57e589-22b8-4298-8dce-8443b5f216f5/

Malware family:

Netwire

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3c63068f0ff7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3c63068f0ff7610cbe73267e9d3c8a4adc977c9fae26f39808d2880f9c79e204

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_NetWire Create hunting rule
Author:	ditekSHen
Description:	Detects NetWire RAT

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_netwire_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.netwire.

Rule name:	win_netwire_w0 Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	NetWiredRC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/308643/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample